Hackers Exploiting MS-SQL Servers To Attack Windows Server

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


MS-SQL servers hold a large amount of sensitive information, which is why hackers often target them; compromising one can give attackers access to critically important systems.

Exploiting these servers' vulnerabilities allows threat actors to gain unauthorized access. These actors can execute unauthorized commands and potentially take control of whole networks, facilitating data theft and ransomware deployment, among other malicious activities.

Cybersecurity researchers at ASEC recently identified that hackers are actively exploiting MS-SQL servers to attack Windows servers.

Hackers Exploiting MS-SQL Servers

Poor credential management and public internet exposure make MS-SQL servers a familiar attack vector for threat actors who target Windows systems.


After securing administrator access through brute-forcing, threat actors install malware such as ransomware, RATs, and backdoors to gain further control over the system.

Early detection of suspicious activities related to attacks on MS-SQL servers is possible with a robust Endpoint Detection and Response (EDR) solution that uses behavior-based engine monitoring.

This enables administrators to identify root causes, take appropriate action, and introduce countermeasures against repeated threats that exploit this method of attack.

Detection logs displayed when an external user logs in successfully using an SQL admin account (Source – ASEC)

According to the report, threat actors commonly scan for MS-SQL servers with port 1433 open, then attempt to gain SQL admin access through brute-force or dictionary attacks against weak credentials.

Some malware like LemonDuck can also self-propagate to poorly secured MS-SQL environments. 

While LemonDuck uses a hardcoded password list, others like Kingminer and Vollgar brute-force externally exposed servers.

List of passwords used by LemonDuck (Source – ASEC)

SQL admin privileges control only MS-SQL databases, not the Windows OS directly, yet MS-SQL has features such as xp_cmdshell and OLE automation procedures that allow the execution of OS commands.

Consequently, LemonDuck uses these to acquire initial SQL admin access and then downloads and runs other malicious components.

A few even restore disabled capabilities in the process.

LemonDuck uses CLR .NET procedures along with xp_cmdshell for similar purposes, whereas MyKings employs extended stored procedures to load malicious DLLs.

Detection logs for the behavior of configuring the system to allow the execution of OS commands (Source – ASEC)

Once features such as xp_cmdshell, OLE procedures, or the CLR SQLShell have been configured for OS command execution, threat actors can use them to execute malicious code directly via the sqlservr.exe service.

Detection logs about MS-SQL service executing OS commands (Source – ASEC)
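
The first two stages described above (an external login with an SQL admin account, then a configuration change that allows OS commands) can also be checked in the SQL Server error log. The following is an added example, not code from ASEC or the original article: the log lines are constructed samples modeled on the error log format, and the internal network ranges, the failure threshold and all function names are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modeled on SQL Server ERRORLOG entries (not from the ASEC report).
SAMPLE_LOG = """\
2024-05-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:02.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:02.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-05-01 10:00:03.15 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:00:03.20 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:05:00.00 Logon       Login succeeded for user 'app_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
"""

# Assumed values: adjust the internal ranges and the threshold to the environment.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
OS_EXEC_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}
FAIL_THRESHOLD = 3
LOGIN = re.compile(r"Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")

def is_external(client):
    try:
        addr = ip_address(client)
    except ValueError:  # non-IP client such as "<local machine>"
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def detect(log_text):
    """Return (rule, detail) alerts in log order."""
    failures, alerts = Counter(), []
    for line in log_text.splitlines():
        if m := LOGIN.search(line):
            outcome, user, client = m.groups()
            if outcome == "failed":
                failures[(user, client)] += 1
            elif is_external(client):  # successful login from outside the internal ranges
                rule = ("bruteforce_then_success"
                        if failures[(user, client)] >= FAIL_THRESHOLD else "external_sql_login")
                alerts.append((rule, f"{user}@{client}"))
        elif m := CONFIG.search(line):
            option, old, new = m.group(1), int(m.group(2)), int(m.group(3))
            if option.lower() in OS_EXEC_OPTIONS and old == 0 and new != 0:
                alerts.append(("os_command_execution_enabled", option))
    return alerts
```

Successful logins only appear in the error log when login auditing is set to record them; by default only failed logins are written.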

To reduce risk, administrators should use strong credentials, apply patches, and restrict external access to MS-SQL instances, which are typically found together with ERP and business solutions.
